Monday, March 08, 2010

Citibank exposes 600,000 customers' Social Security numbers

Ralph Remakel received a Citibank letter postmarked Feb. 16 that notified him of a recent Citibank error. It turns out he wasn't the only one.

In late January, Citibank mailed year-end tax statements to 600,000 Citi customers via the U.S. Postal Service that included the customers' Social Security numbers ... on the outside of the envelope.

Citi called the mistake a "processing error."

Although the nine-digit numbers were not identified as Social Security numbers (they were printed at the lower edge of the envelope with other numbers and letters and resembled a mail routing number), Citi still reacted to the mistake. EVP and Director of Citibank Client Services Norman White sent customer notification letters to every affected Citi customer during the week of Feb. 15, apologizing for the error.

The letter offered Citi customers the option to enroll in a free, 180-day credit monitoring service arranged by Citibank, but White also encouraged customers to regularly review activity on their accounts.

Remakel said he did not take advantage of Citibank's credit monitoring service offer.

"It’s like small change compared to the effect of me getting my Social Security number compromised," Remakel said. "Who would really see it except the post office? But it’s not like it’s hidden in any way. What’s the easiest way to take someone’s identity? Their Social Security Number."

(See the full text of the letter below)

Citibank said in a statement that the company believes the error produced little to no risk to its customers and that it has been corrected for all of Citibank's future mailings.

"Although there is little or no risk to our customers, we decided to be completely transparent to our customers by notifying them of the error," the statement said. "It is an important part of our commitment to our customers to be fully transparent and to give them the peace of mind that comes from banking with people they trust."

Remakel, however, was not satisfied with his notification letter.

"I was almost to the point of calling them and saying, 'Hey, for your blunder, how about wiping out everything I owe you?'" he said.

Full text of Citibank's notification letter:

We are writing to inform you that due to a processing error the nine digits in your Social Security number, along with a string of other numbers and letters all resembling a mail routing number, were printed on the lower edge of an envelope containing a year-end tax statement that we mailed to you recently.

We believe there is little or no risk to you. However we wanted to bring this to your attention, apologize and confirm that changes have been made for all future mailings.

Should you nonetheless remain concerned, we have arranged for you at your option to enroll in a credit monitoring service at no cost to you for the next 180 days. To activate this coverage, please call the toll-free number or visit the website listed below and enter the redemption code. The redemption code is required for enrollment. As always, we encourage you to regularly review activity on your accounts.

Comments

This is happening at least once a month all over the US! I doubt this is just an error. Fortunately, I don't do business with Citibank. In fact, I don't feel that any bank has a right to have someone's SSN for any purposes beyond verifying someone's existence.

What good is a SSN when everyone is passing it around? Why are they even mailing it back to the person? SECURITY? HA! It's a number that is too frequently used and if the bank wants to assign a number they should give them their number.

Thank you CB. Taxpayers bail your sorryazz's, your CEOs defend their million dollar bonuses and outrageous fees, yet you screw up in ways that a grammar school drop-out couldn't come up with. Congratulations. Oh, and that credit protection you still say we need and bill us for. How about just giving that to us without charging us for it. I'm not asking.

I don't understand how Mr Remakel can have the nerve to complain about the letter and the mistake, while not taking advantage of the 180-day free service to monitor if someone is using his social security number to obtain credit. He seems confused if he's really upset or not. Although it's obvious he's not going to actually do anything about it except whine. I'd be curious if he still has an account with them. C'mon you people, if you're really upset about this stuff, show the company and close your accounts, put your money where your mouth is, it's the only way things will change. It's like complaining about government and not voting.

I got my letter in the mail from Citibank, too, just like this guy. And like him, I didn't go for the "monitoring service" either. I could just picture, after "x" amount of days of the "free" service, that I'd be charged outrageous fees for that, too.

I swear, I give up. So-called SECURE places screw up all the time! While I'm not going to go around posting my ss# anywhere, I'm not going to let myself get stressed about it, either. If someone gets it, they get it. I'll take common sense precautions, but really, there's NO ONE and NO INSTITUTION that can truly be trusted. Unfortunately.

"Although there is little or no risk to our customers, we decided to be completely transparent to our customers by notifying them of the error," the statement said. "It is an important part of our commitment to our customers to be fully transparent and to give them the peace of mind that comes from banking with people they trust."

BS!! They have to notify customers by law if there is a potential breach or threat to their customers' credit info due to the bank's error! Don't try to turn this around and make it sound like the bank decided to do the right thing. They are required to by law!

Let's get real here. My husband is retired. His Medicare number is his SS#. Don't you think every physician's office knows this? What's the point of protecting your SS# all your life when Medicare will take that privilege away when you retire?

I agree with RomanB. ANYONE who has an account with a dysfunctional bank such as Citibank that is ridden with greedy CEOs needs to have their heads examined. I transferred all of my accounts out of Chase, because they are just as dysfunctional as Citibank and Bank of America. You all have the option to close your accounts with these banks and let them fail because that's what they deserve to do.

Here's the thing..if you're going to screw up and give out someone's SSN, then that "free" credit protection should be provided FOR LIFE, not just a frikkin 6 months and it should also cover any costs associated with identity theft.

The type of response you propose shows that a) You have no clue regarding the fact that the average ID thief will hold onto that information for YEARS before trying to use it, thereby making your 180 day protection totally useless. Or, b) That you just couldn't care less and it's just a PR move to get everyone off your back and make it look like you're doing the right thing.

Something similar happened to me with Chase a year or so ago, although they couldn't conclusively prove that my information was compromised. I enrolled in the free credit-monitoring service that they offered. At no time did I give the third party credit service a credit card or account number. I was never charged anything. I think I'm still getting free monthly reports in my e-mail even though the period has expired. Why not take advantage of it if it's free, even if you have to monitor it to make sure they don't charge you? You have to monitor it anyway--that's the idea. It does stink and they're idiots for not caring enough to think before printing the stuff where anybody can see it, but you've got to protect yourself if you can.

Very simple answer people:
PUNISH THE BANK FOR THEIR ERROR.
LEAVE CITIBANK, and let them know that securing your personal information is not a game.
There is WAY too much usage of SSN nowadays, i.e. ATT/Apple requiring your SSN to get an iPhone. That is complete bs. People need to realize how dangerous it is to give your SSN to anyone, and just refuse to do so. Don't give out your SSN EVER!

Yes, your SSN is not 'secure' anywhere. Usually due to plain stupidity. Mine was compromised and as I was resetting my online accounts I found a few very 'bright' practices by some of the major players. Discover card was the most outrageous example, violating at least 3-4 very basic tenets of online/computer security. I am in the computer field, and although not specifically in the security area, I am very aware what the good practices are. I called Discover to bring their deficiencies to their attention. The answer was appalling: "we are aware of these, our customers actually prefer that we do it this way, but we are working to resolve these issues and will be taking care of them in several months." What??? I dare say that most customers are not aware of how dangerous it is. And, assuming they are actually doing something about it (which I doubt), for the next 'several' months they will continue what they are doing? Great...